3eff31a9084b4a8a1587ba2fc43ab4e055e70979
hiram
  Tue Apr 28 14:53:55 2026 -0700
eliminate the HTTP_REFERER check and depend just on the userId cookie for security refs #31811

diff --git src/hg/hubApi/findGenome.c src/hg/hubApi/findGenome.c
index 63c63ba8ee8..cd75f1c59e4 100644
--- src/hg/hubApi/findGenome.c
+++ src/hg/hubApi/findGenome.c
@@ -554,57 +554,36 @@
  */
 {
 char *extraArgs = verifyLegalArgs(argAssemblyRequest);
 if (extraArgs)
     apiErrAbort(err400, err400Msg, "extraneous arguments found for function /assemblyRequest '%s'", extraArgs);
 
 char *asmId      = cgiOptionalString(argAsmId);
 char *name       = cgiOptionalString(argName);
 char *email      = cgiOptionalString(argEmail);
 char *betterName = cgiOptionalString(argBetterName);
 char *comment    = cgiOptionalString(argComment);
 
 if (isEmpty(asmId) || isEmpty(name) || isEmpty(email))
     apiErrAbort(err400, err400Msg, "must have arguments: %s, %s, %s for endpoint '/assemblyRequest'", argAsmId, argName, argEmail);
 
-/* require referer to be our own assemblySearch.html, mirroring apiLiftRequest */
+/* Require a session cookie.  Robots that have not
+ *   passed the challenge will not have one. */
 char *cookieName = hUserCookie();
 char *userId = findCookieData(cookieName);
-char *referer = getenv("HTTP_REFERER");
-char dir[PATH_LEN];
-char fname[FILENAME_LEN];
-char ext[FILEEXT_LEN];
-if (isNotEmpty(referer) && isNotEmpty(userId))
-    {
-    /* assemblySearch.html uses history.pushState to add query strings to its
-     * URL, so the referer arrives as e.g. ".../assemblySearch.html?searchBox=foo".
-     * Strip query/fragment before splitPath so the .html extension matches. */
-    char *cleanRef = cloneString(referer);
-    char *q = strchr(cleanRef, '?');
-    if (q) *q = '\0';
-    q = strchr(cleanRef, '#');
-    if (q) *q = '\0';
-    splitPath(cleanRef, dir, fname, ext);
-    if (! (endsWith(dir, ".ucsc.edu/") && sameWord(fname, "assemblySearch") && sameWord(ext, ".html")))
+if (isEmpty(userId))
     apiErrAbort(err400, err400Msg, "can not find required inputs for endpoint '/assemblyRequest'");
-    freeMem(cleanRef);
-    }
-else
-    {
-    if (! debug)
-        apiErrAbort(err400, err400Msg, "can not find required inputs for endpoint '/assemblyRequest'");
-    }
 
 /* the ottoRequest table has no name/betterName columns, fold them into comment */
 struct dyString *fullComment = dyStringNew(0);
 dyStringPrintf(fullComment, "name: '%s'", name);
 if (isNotEmpty(betterName))
     dyStringPrintf(fullComment, "; betterName: '%s'", betterName);
 if (isNotEmpty(comment))
     dyStringPrintf(fullComment, "; comment: '%s'", comment);
 
 char nowTime[256];
 time_t seconds = clock1();
 struct tm *timeNow = localtime(&seconds);
 strftime(nowTime, sizeof nowTime, "%Y-%m-%d %H:%M:%S", timeNow);
 
 struct dyString *msg = dyStringNew(0);
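Review bot: The new `if (isEmpty(userId))` guard only tests that a userId cookie is present; the value returned by `findCookieData(cookieName)` comes from the client, and nothing in this hunk checks it against a server-side session, so any non-empty string passes. Unless the challenge layer validates the cookie before this code runs (not visible here), the id should be looked up in the session store before the request is built. At minimum the comment should state the limit, e.g. `/* presence check only: the cookie value is client-supplied and is not validated here */`. With the referer test removed there is also no origin check left in this hunk, and since browsers attach the cookie automatically, a cross-site submission from a visitor who holds a cookie would pass as well; a per-session token in the form would cover that case. The enclosing function starts and ends outside the hunk, so a later check may exist that is not visible here.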